I have seen a lot of people struggle when using the image settings in Cloud Pak for Business Automation (CP4BA). I will make the case for why you should almost never use any of the image settings in the CR file.
As mentioned in
Choosing image tags or digests, there are two main methods that images are pull.
- via image tag settings
- via image digests
If sc_image_repository is set to its default value of cp.icr.io then it will pull the images using digests.
When this setting is used the operator will pull the image from the proper repository location as it exists in cp.icr.io and it will use the proper digest according to the appVersion that is set in the CR file. So you should not use any individual image repository or tag settings as the operator knows exactly where each images exists and will pull the proper version for your version of the product.
If sc_image_repository is set to any other value then it will use image tags to pull the images.
When this behavior is used it will pull images from the exact location mentioned in the setting so all images will need to be in the same folder.
By default it will use a tag which matches exactly to the appVersion or what is set in sc_image_tag. This tag will apply to all images being pulled.
The main issue with this is that CP4BA images do not use a consistent tagging schema and generally they vary from one image to the next. Because of this you may end up having to use individual image tag settings for all components. This would also need to be maintained from version to version to avoid problems.
This is a painful experience for an admin to maintain and it is not recommended.
When you have access to the internet and are pulling images from the IBM Entitled Registry, you must use cp.icr.io and will have the best experience.
When you setup an air gap installation mirroring images from the IBM Entitled Registry and other sources, you must use cp.icr.io to have you the best experience.
Note: It is not supported to do a fully air-gapped install without mirroring the images according to the air gap steps.
So given these two point it seems clear that you should not attempt to use any of the image repository settings. The image repository settings will override the default behavior so it can actually break things that otherwise would have worked by default.
If you happen to use a CR template file which includes individual image tag and repository settings then it is recommended to remove them and use the behavior you get when sc_image_repository is set to cp.icr.io. In addition, if you have an
air gapped environment be sure that you have followed the steps that involve mirroring the online registries.
There is two main uses for the individual image repository and tag settings which are specific to a single image.
- You need to temporarily workaround a defect in the IBM Entitled Registry. If these issues occur, they are usually fixed quickly before most people would not notice them.
- You need to apply a single image fix like a testfix, hot fix or interim fix that only applies to a single image and does not relate to a new product appVersion.
Note: Most interim fixes do include operator updates and a new appVersion.
In these scenarios, you would need to remember to remove the settings when you upgrade or when the fix is no longer needed.
An additional benefit of using digests to pull images is that it makes use of a hash for the container so it is more tamper proof.
In conclusion, it is best to not use any of the image repository and tag setting in your Cloud Pak for Business Automation CR file and use the default image pulling behavior that the product offers. In rare circumstances, you may be directed by support or a single image interim fix instructions to apply specific image settings although these are temporary and should be removed when upgrading or removing the special image.
#bestpractices#CloudPakforBusinessAutomation